This campaign is especially significant in that it ties to the dominant password stealing malware on the planet today, called "Zbot", which is short for the "Zeus Botnet". In this particular set of malware, the stolen login credentials are sent to the Ukrainian IP address 91.206.201.6, using the domain name "labormi.com".

This malware is especially interesting because it is clearly associated with a set of phishing sites which have been the most heavily spammed phishing campaign for a long time. Currently there is an active Bank of America phishing campaign and an active JP Morgan Chase phishing campaign using the same domain names as the Microsoft Critical Update malware distribution campaign:

Detecting ZBot Activity on your Network

One of the primary indicators of ZBot activity may be a computer which is fetching a ".bin" file from a remote computer. Zeus nodes do "context specific" keylogging. They are configured by updating a ".bin" file, which, after being decoded by the bot, will reveal a particular list of websites for which this node is supposed to steal passwords. In most cases, these are financial institutions' websites. In addition to stealing passwords, injection of additional "personal information" questions is possible.

If you have nodes on your network downloading ".bin" files, it would be a good idea to do a Google search using that domain name to see if you can find evidence that this is a Zeus node or Zbot node. For example, after being infected with the fake Microsoft Update malware above, our computers make a connection to "labormi.com" and fetch a file "lbr.bin". If we search Google for "labormi.com" and "zeus" we would quickly be able to see that this is a known Zeus controller, and we would know that the computer fetching this file is infected with a ZBot.
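As an added illustration (not part of the original post), here is a small Python detector that applies the heuristic above to proxy log lines: any ".bin" download is flagged for review, and any host or destination IP on a watchlist of the controllers named in this post is flagged as a known Zeus controller. The log format and the sample lines are constructed assumptions, not real captures.

```python
import re
from urllib.parse import urlparse

# Watchlist built only from indicators named in this post.
ZEUS_CONTROLLER_DOMAINS = {"labormi.com", "djellow.com"}
ZEUS_CONTROLLER_IPS = {"91.206.201.6"}

# Constructed sample proxy log: "<client_ip> <method> <url> <dest_ip>" per line.
SAMPLE_LOG = """\
10.0.0.12 GET http://labormi.com/lbr.bin 91.206.201.6
10.0.0.15 GET http://update.example.org/firmware.bin 203.0.113.9
10.0.0.17 GET http://www.example.com/index.html 198.51.100.4
10.0.0.21 GET http://djellow.com/djellow.exe 91.206.201.6
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return (client_ip, severity, reason) for a suspicious line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line; ignore rather than guess
    client, _method, url, dest_ip = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # A known controller, by name or by IP, is a confirmed infection signal.
    if host in ZEUS_CONTROLLER_DOMAINS or dest_ip in ZEUS_CONTROLLER_IPS:
        return (client, "high", f"traffic to known Zeus controller {host} ({dest_ip})")
    # Any other .bin fetch is only a lead: look the domain up before acting.
    if parsed.path.lower().endswith(".bin"):
        return (client, "medium", f".bin download from {host}; check domain against Zeus/Zbot reports")
    return None


def scan(log_text):
    """Scan a whole log and return one finding per suspicious line."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for client, severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {client}: {reason}")
```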

Other malware in the mail

There were several other malware-laden email messages we received today, just look at this inbox!!!

These messages looked like this . . .

"Unluckily we can't bring your parcel that was sent . . . "

Even more unluckily if you install the invoice they ask you to click on from:

http://ribboninn.com/ djellow.exe

Another email, pretending to be a fake "greeding card" (yeah, fooled me!) also linked to a "djellow" executable:

using the website http://76380.webhosting29.1blu.de/

Why would the malware be named "djellow.exe"? Because it also is a ZBot installer. And where is its Zeus controller? Why on the website "djellow.com" of course!

But here is the best part . . .

The IP address for djellow.com? 91.206.201.6 ! The same as the Zeus controller for the fake Microsoft update!

We also received a ZBot claiming to be a "Statement Request".

This one asks us to "look at the statement on your account. The statement was issued today upon request, and your data has been successfully altered."

Of course the link to http://artemaliciacapoeira.be (slash) rep_7330.exe is yet another ZBot install!

Our last ZBot of the day came in looking like this:

and came from the site:

http://javiercubel.com (slash) video.exe

File size: 82432 bytes
MD5: 4456e181232270adf022f682e8595ef3

This one turns out to be a slightly older ZBot. VirusTotal reports it's detected by more than half of the 41 anti-virus products they test -